Pages

Saturday, September 06, 2008

Layman's WiFi Security

I've often been asked on my thoughts on wireless access. An incomplete history from the top of my head follows plus some useful tips as a result of my personal experience in managing my own SOHO network.

Back ThenThe biggest problems to the use of wifi is improper usage safeguards. When the topic of wireless access came up years ago, it was an expensive and yet useful technology available only to companies that had the budget. Even then the problem was how to proper place the access point within the company network where it would be of benefit business in terms of people moving around the office with laptops in places where no cabling was in place or where doing any cabling would result in the loss of needed meeting spaces or just plain unsightly. Back then the best lockdown features only included WEP (wireless equivalence protocol) and in the best possible combination include MAC address filtering. That still works today for the most part, and in fact I use it as a first level defense. However, due to the technology being new and as prices eventually came down to a level available to small businesses everyone was grabbing off-the-shelf products and just plugging them into their networks. That being said, everything was left on default even to the administrator log-in and password -- very unfortunate and very bad. The result of that would be all the data breaches and war-driving tutorials and attacks published in the public domain and hacker conferences. Loss of brand confidence, data theft, remote break-ins, the lot of it .... you betcha. Around this time, my Netgear wifi hub was some $250 and it only supported 802.11 b/g.

After ThatApparently someone discovered a flaw in WEP and the possibility to spoof even MAC addresses. Now this situation connotes a targeted attack was possible, when in fact it is in reality difficult to sustain a defense against a motivated hacker - wifi or otherwise. A solution came in WPA (wireless prevalence access) and some time after that improvements as WPA2. It also became possible to use digital certificates and all the regular connective security already possible in regular VPN (virtual private network) connections. ISPs have started to roll-out home wi-fi to its subscribers, unfortunately depending in what location some have fallen into the same default installation trap in their zeal to get service to customers*.

Just RecentlyToday the cost of wifi hardware has gone down that its possible for consumers to grab them off any shelf. In fact it would appear that even as the cost of wireless access devices have gone down, their speed has gone up to 802.11 N and have become routing switches. Even better, consumer hardware stateful inspection firewalling has likewise been added to most including NAT (network address translation) and DHCP (dynamic IP addressing) capability. Thats wonderful given that my D-Link cost something like $150.

Perhaps I can't stress this enough and more important perhaps in a home network or office place is to know that if you don't know at which point you place your access point that you could be setting-up yourself for a breach. The best place for this device is of course is in a DMZ (de-militarized zone), meaning outside your main network if your purpose is to provide just basic surfing capability. Unfortunately the reality is that people who want wifi today is to get about the same transparent services as if you were directly wired to the network. In that case, be sure to make it more difficult for an attack to happen!

SummaryNo matter how old or new your wireless access hardware is, demand the following configurations done or read the manuals so you can do it yourself:1. change the default SSID name - avoid confusion to which default access point to connect to and avoid connecting to fake sites and having your traffic inspected in a man-in-the-middle attack.2. disable SSID name broadcast - cloaking your access point makes it difficult for war-drivers to attack you; note that some gadgets and devices won't like this unless you hard wire the connection details3. use WEP/WPA/WPA2 with a 128-bit key - elementary since its harder to guess a 128 key versus a default 64-bit key4. use MAC filtering - essentially this limits the set of rogue devices that can get on your network even if they were able to discover your SSID or password phrase key5. location, location, location - know where you're connecting your access point and assume that devices connected to it will inherit the same network paths, unless you specifically limit them by configuring inbound/outbound filter rules